author | tb <> | 2025-06-04 10:25:30 +0000 |
---|---|---|
committer | tb <> | 2025-06-04 10:25:30 +0000 |
commit | 2237cbfc7bb81e07c1a424f450cd6e0946803679 (patch) | |
tree | 8f470e546a5c409018388adebb280454e825ec7c /src | |
parent | 69a9721f18801a1e219f9278f5727931a972360e (diff) | |
download | openbsd-2237cbfc7bb81e07c1a424f450cd6e0946803679.tar.gz openbsd-2237cbfc7bb81e07c1a424f450cd6e0946803679.tar.bz2 openbsd-2237cbfc7bb81e07c1a424f450cd6e0946803679.zip |
libtls: abort handshake on no ALPN protcol overlap
RFC 7301, section 3.2: In the event that the server supports no
protocols that the client advertises, then the server SHALL respond
with a fatal "no_application_protocol" alert.
This change makes tlsext_alpn_server_process() send the alert
rather than pretending no callback was present.
ok jsing
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/libtls/tls_server.c | 4 |
1 files changed, 2 insertions, 2 deletions
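--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.51 2024/03/26 08:54:48 joshua Exp $ */
+/* $OpenBSD: tls_server.c,v 1.52 2025/06/04 10:25:30 tb Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -75,7 +75,7 @@ tls_server_alpn_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
 OPENSSL_NPN_NEGOTIATED)
 return (SSL_TLSEXT_ERR_OK);
 
-return (SSL_TLSEXT_ERR_NOACK);
+return (SSL_TLSEXT_ERR_ALERT_FATAL);
 }
 
 static int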
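Review bot: The new `return (SSL_TLSEXT_ERR_ALERT_FATAL);` at the end of tls_server_alpn_cb() has no comment, so the reason for failing the handshake instead of returning NOACK lives only in the commit message. I would add `/* RFC 7301, section 3.2: no protocol overlap is a fatal no_application_protocol alert. */` directly above it, so the strict behaviour is not later relaxed back to a silent fallback by mistake. This is also a visible behaviour change for servers that configure an ALPN list: a client whose offered protocols do not overlap was previously accepted without ALPN and is now rejected. The ALPN configuration documentation should presumably say so, and it is worth checking that the caller of the handshake gets a distinguishable error rather than a generic failure; neither is visible in this hunk. The function body starts above the hunk, so the arguments passed to the selection call cannot be checked from here.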